TrojanSpy.Win32.Muyem.A

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It steals system information.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy adds the following folders:

• %ProgramData%\{Random String}
• %ProgramData%\{Random String}\files
• %ProgramData%\{Random String}\files\Autofill
• %ProgramData%\{Random String}\files\CC
• %ProgramData%\{Random String}\files\Cookies
• %ProgramData%\{Random String}\files\Downloads
• %ProgramData%\{Random String}\files\Files
• %ProgramData%\{Random String}\files\History
• %ProgramData%\{Random String}\files\Soft
• %ProgramData%\{Random String}\files\Soft\Authy
• %ProgramData%\{Random String}\files\Wallets
• %ProgramData%\{Random String}\files\Wallets\ElectronCash
• %ProgramData%\{Random String}\files\Wallets\Electrum
• %ProgramData%\{Random String}\files\Wallets\ElectrumLTC
• %ProgramData%\{Random String}\files\Wallets\Ethereum
• %ProgramData%\{Random String}\files\Wallets\Exodus
• %ProgramData%\{Random String}\files\Wallets\JAXX
• %ProgramData%\{Random String}\files\Wallets\MultiDoge

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData in Windows Vista, 7, and 8.)

Dropping Routine

This Trojan Spy drops the following files wherein it saves the information it gathers:

• %ProgramData%\{Random String}\c
• %ProgramData%\{Random String}\history
• %ProgramData%\{Random String}\ld
• %ProgramData%\{Random String}\historych
• %ProgramData%\{Random String}\wd
• %ProgramData%\{Random String}\files\cookie_list.txt
• %ProgramData%\{Random String}\files\outlook.txt
• %ProgramData%\{Random String}\files\information.txt
• %ProgramData%\{Random String}\files\screenshot.jpg
• %ProgramData%\{Random String}\files\Autofill\Google Chrome_Default.txt
• %ProgramData%\{Random String}\files\CC\Google Chrome_Default.txt
• %ProgramData%\{Random String}\files\Cookies\Google Chrome_Default.txt
• %ProgramData%\{Random String}\files\Cookies\cookies_Mozilla Firefox_dxxbjsgn.default.txt
• %ProgramData%\{Random String}\files\Cookies\Edge_Cookies.txt
• %ProgramData%\{Random String}\files\Cookies\IE_Cookies.txt
• %ProgramData%\{Random String}\files\Downloads\Google Chrome_Default.txt
• %ProgramData%\{Random String}\files\Files\Default.zip
• %ProgramData%\{Random String}\files\History\Google Chrome_Default.txt
• %ProgramData%\{Random String}\files\History\history_Mozilla Firefox_dxxbjsgn.default.txt

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData in Windows Vista, 7, and 8.)

Download Routine

This Trojan Spy accesses the following websites to download files:

• http://{BLOCKED}est.com/380
• http://{BLOCKED}est.com/freebl3.dll
• http://{BLOCKED}est.com/mozglue.dll
• http://{BLOCKED}est.com/msvcp140.dll
• http://{BLOCKED}est.com/nss3.dll
• http://{BLOCKED}est.com/softokn3.dll
• http://{BLOCKED}est.com/vcruntime140.dll

It saves the files it downloads using the following names:

• %ProgramData%\freebl3.dll
• %ProgramData%\mozglue.dll
• %ProgramData%\msvcp140.dll
• %ProgramData%\nss3.dll
• %ProgramData%\softokn3.dll
• %ProgramData%\vcruntime140.dll

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData in Windows Vista, 7, and 8.)

Information Theft

This Trojan Spy steals system information.

It gathers the following data:

• User credentials from the following:
  • Telegram Desktop
  • Mozilla Thunderbird
  • Filezilla
• Screenshot of the desktop during execution
• Browser Information
  • Autofill Data
  • Cookies
  • Browsing History
  • Download History
  • Browser Credentials
• System Information
  • ISP
  • Coordinates
  • ZIP
  • City
  • Country
  • IP
  • Video Card
  • RAM
  • CPU Count
  • Processsor
  • Time Zone
  • Local Time
  • Keyboard Language
  • Display Language
  • Display Resolution
  • User Name
  • Computer Name
  • Windows OS
  • Working Directory
  • GUID
  • Machine ID
  • Date
  • Version

Stolen Information

The stolen information is saved in the following file:

• %ProgramData%\{Random String}\files\US_{GUID}{Date}.zip

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData in Windows Vista, 7, and 8.)

It sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}est.com

Other Details

This Trojan Spy connects to the following URL(s) to get the affected system's IP address:

• http://ip-api.com/line/

It does the following:

• Does not proceed with its routine when the default user locale name are any of the following:
  • Russian
  • Belarussian
  • Uzbek
  • Kazakhstan
  • Azerbaijani
• It targets the following browsers:
  • Chedot
  • Mustang
  • Suhba
  • TorBro
  • Elements
  • Cent
  • QIP
  • URAN
  • CocCoc
  • Vivaldi
  • Epic Privacy
  • Sputnik
  • Maxthon5
  • Nichrome
  • Comodo Dragon
  • Opera
  • Orbitum
  • Torch
  • Amigo
  • Kometa
  • Chromium
  • Google Chrome
  • K-Meleon
  • IcaCat
  • BlackHawk
  • Cyberfox
  • Waterfox
  • Pale Moon
  • Mozilla Firefox
• It may also possess the capability to steal information from various cryptocurrency wallets:
  • *btc*.dat
  • *wallet*.dat
• Targets the following cryptocurrencies:
  • JAXX
  • MultiDoge
  • ElectronCash
  • Electrum
  • Electrum-LTC
  • Ethereum
  • Exodus
• Will try to delete itself, the information gathered, and its network activity to destroy any evidence of its execution